
Emitting Metrics from NXLog-EE
Hi, Can NXLog collect and emit metrics on Linux and Windows? It looks like this can be done on Windows with im_winperfcount, but I haven't found anything for metrics on Linux. Does this exist in the Enterprise Edition? Thanks!

casey1234 created
Replies: 1
Nxlog export Windows Logs to Rsyslog Server
How can I fix these abnormal output log file names?

    Ext. WAP01.tks.co.th-","Sec-Fetch-Mode".log
    WAP01.tks.co.th-\r\n-.log
    WAP01.tks.co.th-l+xml,application.log

My NXLog configuration:

    ## This is a sample NXLog configuration file created by Loggly. June 2013
    ## See the nxlog reference manual about the configuration options.
    ## It should be installed locally and is also available online at
    ## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    #define ROOT_STRING C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog
    define ROOT_STRING C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    ## Include fileop while debugging, also enable in the output module below
    #<Extension fileop>
    #    Module xm_fileop
    #</Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input in>
        Module im_msvistalog
        ReadFromLast TRUE
        SavePos TRUE
        Query <QueryList> \
                  <Query Id="0"> \
                      <Select Path="Application">*</Select> \
                      <Select Path="System">*</Select> \
                      <Select Path="Security">*</Select> \
                  </Query> \
              </QueryList>
    </Input>

    <Output out>
        Module om_tcp
        Host 10.6.5.133
        Port 514
        Exec $Hostname = hostname_fqdn();
        Exec $SyslogFacility = 2;
        #Exec $SourceName = 'eventlogs';
        #Exec to_syslog_bsd();
        #Exec to_syslog_snare();
        Exec to_syslog_ietf();
        Exec $Message = to_json(); to_syslog_bsd();
    </Output>

    <Route 1>
        Path in => out
    </Route>

What I want:

    Input <Select Path="Application">*</Select> ---> output hostname.application.log
    Input <Select Path="System">*</Select>      ---> output hostname.system.log
    Input <Select Path="Security">*</Select>    ---> output hostname.security.log

kunagorn.g created
Replies: 1
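One way to get per-channel file names on the receiving side is to make the syslog APP-NAME (which NXLog takes from $SourceName) carry the channel name, and to build the wire format only once. This is an added example, not part of the post above; it assumes the rsyslog side names its files from the syslog tag/app-name (for instance via %programname%), which is an assumption about a configuration this thread does not show.

```nxlog
<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module        im_msvistalog
    ReadFromLast  TRUE
    SavePos       TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module  om_tcp
    Host    10.6.5.133
    Port    514
    <Exec>
        $Hostname = hostname_fqdn();
        # APP-NAME/TAG is built from $SourceName. For Windows events it defaults
        # to the provider name; replace it with the lower-cased channel so the
        # receiver sees "application", "system" or "security".
        $SourceName = lc($Channel);
        # Serialise the record into the MSG part once, then build the RFC 5424
        # line once. Calling to_syslog_ietf() and then to_syslog_bsd() rewrites
        # $raw_event twice and sends whichever call ran last.
        $Message = to_json();
        to_syslog_ietf();
    </Exec>
</Output>

<Route 1>
    Path in => out
</Route>
```

The JSON in the MSG part contains commas, quotes and newlines; a receiver that derives file names from the message body rather than from the header will still produce odd names, so the rule on the rsyslog side should key on the app-name/program name only.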
Kafka output to Azure Event Hub
I have a SaaS vendor that uses NXLog to send logs to customers and I would like them to send to an Azure Event Hub that has Kafka enabled so we don't need to use VPNs. I'm able to connect and produce messages to the topic with Python and Logstash, but they seem to be having issues with NXLog. This is the error they tell me they are getting:

    2020-04-09 09:41:27 ERROR rdkafka: [thrd:sasl_ssl://servername.servicebus.windows.net:9093/boots]: sasl_ssl://servername.servicebus.windows.net:9093/bootstrap: SASL GSSAPI mechanism handshake failed: Local: Broker transport failure: broker's supported mechanisms: (n/a) (after 0ms in state DOWN)

Azure seems to have specific requirements/limitations. The configuration below works for Logstash and it uses sasl_jaas_config to pass the authentication data:

    output {
      kafka {
        codec => json
        topic_id => "kafkatopic"
        bootstrap_servers => "eventhubname.servicebus.windows.net:9093"
        client_id => "azshrelasea01p"
        compression_type => "none"
        sasl_jaas_config => "org.apache.kafka.common.security.plain.PlainLoginModule required username='$ConnectionString' password='Endpoint=<eventhubconnectionstring>';"
        sasl_mechanism => "PLAIN"
        security_protocol => "SASL_SSL"
        ssl_truststore_password => "password"
        ssl_truststore_location => "/elastic/trust.jks"
        ssl_truststore_type => "jks"
        batch_size => 250
        linger_ms => 6000
      }
    }

Looking around the internet, it seems that librdkafka has some requirements that have to be met, but I don't know how the NXLog config would look to implement these:

    https://github.com/Azure/azure-event-hubs-for-kafka/issues/51
    https://brokenco.de/2019/04/04/azure-eventhubs-rust.html

Does anyone have any experience with this, or could help me convert these Logstash configs to an NXLog one? It looks like I need to use the Option directive and pass the settings there for librdkafka, but I don't have a lot of experience with NXLog. Thanks!

sera123k created
Replies: 1
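The error in the post says which mechanism librdkafka tried: GSSAPI is its default, and the Event Hubs Kafka endpoint offers only SASL PLAIN over TLS, with the literal user name $ConnectionString and the namespace connection string as the password. The om_kafka Option directive passes librdkafka properties through unchanged, so the Logstash settings translate one to one. The block below is an added example, not the vendor's or NXLog's configuration; the namespace, topic, CA bundle path and connection string are placeholders.

```nxlog
<Extension _json>
    Module  xm_json
</Extension>

<Output to_eventhub>
    Module      om_kafka
    BrokerList  eventhubname.servicebus.windows.net:9093
    Topic       kafkatopic

    # librdkafka properties, passed through verbatim. security.protocol selects
    # TLS + SASL; sasl.mechanisms replaces the GSSAPI default with PLAIN, which
    # is what the error above shows failing.
    Option  security.protocol   sasl_ssl
    Option  sasl.mechanisms     PLAIN
    # Event Hubs expects the literal string "$ConnectionString" as the user name
    # and the full namespace/Event Hub connection string as the password.
    Option  sasl.username       $ConnectionString
    Option  sasl.password       Endpoint=sb://eventhubname.servicebus.windows.net/;SharedAccessKeyName=send-policy;SharedAccessKey=REPLACE_ME
    # CA bundle used to verify the Event Hubs certificate (path is an assumption
    # for a Debian/Ubuntu host; on RHEL use /etc/pki/tls/certs/ca-bundle.crt).
    Option  ssl.ca.location     /etc/ssl/certs/ca-certificates.crt

    Exec    to_json();
</Output>
```

The shared access key is a bearer credential: keep the file readable only by the NXLog user, and prefer a policy with Send rights only rather than the namespace RootManageSharedAccessKey.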
NXlog and Graylog sidecar - ERROR Couldn't open nxlog service; The specified service does not exist as an installed service.
I am trying to ship Windows logs to Graylog using Nxlog and when trying to apply my configuration, the Sidecar gives me the following error: ERROR Couldn't open nxlog service; The specified service does not exist as an installed service. Any idea what could be wrong? I followed the instructions here https://docs.graylog.org/en/3.2/pages/sidecar.html#nxlog-on-windows to set it up. Thank you.

junior466 created
Replies: 1
NXLog CE is not sending any data
Hello, I am having the problem that nothing is sent to the server and I don't know why. Here is my config:

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    LogLevel INFO

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    define BASEDIR C:\MessageTracking

    <Input in_exchange>
        Module im_file
        # Exports all logs in Directory
        File '%BASEDIR%\MSGTRK*-*.LOG'
        SavePos TRUE
        Exec if $raw_event =~ /HealthMailbox/ drop();
        Exec if $raw_event =~ /^#/ drop();
    </Input>

    <Output out_exchange>
        Module om_udp
        Host 10.2.1.22
        Port 5141
        Exec $SyslogFacilityValue = 2;
        Exec $SourceName = 'exchange_msgtrk_log';
        Exec to_syslog_bsd();
    </Output>

    <Route exchange>
        Path in_exchange => out_exchange
    </Route>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
        Module xm_exec
    </Extension>

    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            Exec if (file_exists('%LOGFILE%') and \
                     (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
        </Schedule>
    </Extension>

EliWallic created
Replies: 2
How could I pass output of to_json() from nxlog.conf to perl file?
Hi, I have this type of input in nxlog.conf:

    <Input udp>
        Module im_udp
        Host 0.0.0.0
        Port 514
        Exec parse_syslog(); to_json(); perl_call("process");
    </Input>

My question is, how should I include the JSON output that I get from to_json() in my Perl code? Should I write it like this?

    my ( $event ) = @_;

Or is that only the output of parse_syslog_bsd() (as in the example for xm_perl, https://nxlog.co/documentation/nxlog-user-guide/xm_perl.html)? More generally, my question is how to pass the JSON output that I get from to_json() to the Perl code of the xm_perl module.

EZ created
Replies: 1
QueryXML conditionally, based on what's installed on Windows server?
Hi all, How do I divide my NXLog configuration file into conditionals based on queries? I have an nxlog.conf that doesn't apply equally to all hosts, and NXLog fails if it has to query something that doesn't exist on a Windows server. I'd like to keep one nxlog.conf for all servers instead of having to maintain many confs for a variety of servers. In pseudocode:

    if [ exists Microsoft-Windows-TerminalServices ] then
        <Query Id="3">
            <Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational">*</Select>
        </Query>

However, I'm having a hard time translating a lot of the "if statements" I see into NXLog query formats. Does anyone have any resources or tips to guide me? Here's what I tried, obviously wrong, since <Exec> cannot be in <QueryList>:

    <Exec>
        if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational')
            <Query Id="3">
                <Select Path="Microsoft-Windows-TerminalServices-SessionBroker/Operational">*</Select>
            </Query>
    </Exec>

Also tried:

    <Exec>
        if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational') \
            <QueryXML> \
                <QueryList> \
                    <Query Id="3"> \
                        <Select Path="Microsoft-Windows-TerminalServices-SessionBroker/Operational">*</Select> \
                    </Query> \
                </QueryList> \
            </QueryXML>
    </Exec>
    </Input>

Thanks for your help.

wbollock created
Replies: 1
NXlog is not connecting to ElasticSearch server
I am configuring NXLog to send to an Elasticsearch server using om_elasticsearch, but it doesn't connect. Here is the nxlog.conf file:

    User root
    Group system
    Panic Soft

    # default values:
    PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
    CacheDir /opt/nxlog/var/spool/nxlog
    ModuleDir /opt/nxlog/lib/nxlog/modules
    ModuleDir /opt/nxlog/libexec/nxlog/modules
    SpoolDir /opt/nxlog/var/spool/nxlog

    define CERTDIR /opt/nxlog/var/lib/nxlog/cert
    define CONFDIR /opt/nxlog/var/lib/nxlog

    # Note that these two lines define constants only; the log file location is
    # ultimately set by the LogFile directive (see below). The MYLOGFILE define
    # is also used to rotate the log file automatically (see the _fileop block).
    define LOGDIR /opt/nxlog/var/log/nxlog
    define MYLOGFILE %LOGDIR%/nxlog.log

    <Extension _json>
        Module xm_json
    </Extension>

    <Input file>
        Module im_file
        File '/<path/to/my/logfile/*log'
        # Parse log here if needed
        # $EventTime should be set here
    </Input>

    <Output out>
        Module om_elasticsearch
        URL http://linuxServer:9200/_bulk
        FlushInterval 2
        FlushLimit 100
        # Create an index daily
        Index strftime($EventTime, "nxlog-%Y%m%d")
        # Use the following if you do not have $EventTime set
        #Index strftime($EventReceivedTime, "nxlog-%Y%m%d")
    </Output>

    # By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This allows the
    # log file location to be modified via NXLog Manager. If you are not using
    # NXLog Manager, you can instead set LogFile below and disable the include line.
    LogFile %MYLOGFILE%
    #include %CONFDIR%/log4ensics.conf

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    # This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is
    # changed in log4ensics.conf via NXLog Manager, rotation of the new file
    # should also be configured there.
    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            <Exec>
                if ( file_exists('%MYLOGFILE%') and
                     (file_size('%MYLOGFILE%') >= 5M) )
                {
                    file_cycle('%MYLOGFILE%', 8);
                }
            </Exec>
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
        </Schedule>
    </Extension>

NXLog is starting, but it is waiting to connect to the Elasticsearch server and not proceeding further. Here is the log in nxlog.log, and I could not see an nxlog* index pattern in Kibana:

    2020-03-31 09:37:44 WARNING already running as gid 0
    2020-03-31 09:37:44 WARNING already running as uid 0
    2020-03-31 09:37:44 WARNING no routes defined!
    2020-03-31 09:37:44 WARNING default route added
    2020-03-31 09:37:44 INFO nxlog-4.7.4715 started
    2020-03-31 09:37:44 INFO om_elasticsearch_add_reconnect_event reconnecting in 0 seconds
    2020-03-31 09:37:44 INFO connecting to linuxServer:9200

Any help on this is appreciated. Thanks in advance,
Santosh

santosh.p created
Replies: 1
Hiding/Masking Confidential Information in Logs
Hi, Can NXLog be configured to automatically hide confidential information (PII) like credit card numbers, social security numbers, etc? I thought you could maybe use Regex but thought there might be a better way (like a module) since this is a pretty common thing to do. Thanks in advance!!

casey1234 created
Replies: 1
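Masking in NXLog is done in Exec with regular expressions: the =~ s/// form rewrites a field in place, and a capturing match lets you keep part of the value (for example the last four digits of a card number). The block below is an added example, not from the post or from NXLog's documentation; the input module and the two patterns are illustrative (the card pattern is a plain 16-digit shape with no Luhn check), and the point to notice is that masking $Message alone is not enough, because $raw_event still holds the original text until it is regenerated.

```nxlog
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    <Exec>
        # Split the syslog header off so the patterns run on the message body only.
        parse_syslog();

        # US SSN in nnn-nn-nnnn form: replace every occurrence (g flag) outright.
        $Message =~ s/\b\d{3}-\d{2}-\d{4}\b/***-**-****/g;

        # 16-digit card numbers, optionally grouped by spaces or dashes: keep the
        # last four digits so support staff can still correlate the event.
        if $Message =~ /^(.*?)\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b(.*)$/
            $Message = $1 + "****-****-****-" + $2 + $3;

        # $raw_event was parsed, not rewritten: rebuild it from the masked fields,
        # otherwise outputs that forward $raw_event leak the original.
        to_syslog_ietf();
    </Exec>
</Input>
```

Do the masking in the input (or a processor) rather than in each output, so every route sees the redacted record; and remember that the on-disk position cache and any Buffer modules in front of the masking step still contain the unmasked bytes.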
Skipping certain number of lines after regex match
Please, could you advise how to skip (drop) a certain number of the next log lines after $raw_event matches (Exec if $raw_event =~ / .... / drop();)? Thanks!

mime created
Replies: 1
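A drop() only affects the event being processed, so "the next N lines" has to be tracked in state that survives from one event to the next. NXLog's module variables (set_var()/get_var()) do that: they are scoped to the module instance and persist across events. This is an added example, not part of the post; the file path, the marker line and the count of 5 are assumptions standing in for whatever the real log looks like.

```nxlog
<Input app>
    Module  im_file
    File    '/var/log/app/app.log'
    <Exec>
        # A marker line starts a block of 5 lines we never want to forward.
        if $raw_event =~ /^=== BEGIN DUMP ===/
        {
            set_var('skip', 5);
            drop();
        }
        # Module variable persists between events. Before the first marker the
        # variable is undef, and "undef > 0" is not true, so no initialisation
        # is needed (assumption: undef comparisons evaluate as false here).
        else if get_var('skip') > 0
        {
            set_var('skip', get_var('skip') - 1);
            drop();
        }
    </Exec>
</Input>
```

If the block is delimited by a closing marker rather than a fixed count, xm_multiline with HeaderLine/EndLine is the cleaner tool: it collects the whole block into one event, which can then be dropped with a single regex test.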
Receiving Incomplete Windows Events
Hi, I am using NXLog's <Input MSEvtIN> module to forward Windows Event Logs to a syslog server. The problem I am facing is with MTU size. The default MTU is 1500 everywhere (i.e. 1472 bytes of actual payload), but there are many events in Windows which are much larger than 1472 bytes. Events longer than 1472 bytes are getting truncated at 1472 and received partially on the syslog server. This is creating a problem for my SIEM in parsing the logs. Can anyone please help me diagnose and resolve this? What I know about MTU is that if packets are larger than 1472 bytes, MTU fragmentation is used. I don't know how to enable this fragmentation setting in NXLog.

    ################
    #============ Define ROOT here ===================
    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    #============ NXLog Machine Log info =============
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    #=========== For Windows Event Log ===========
    <Extension json>
        Module xm_json
    </Extension>

    <Input MSEvtIN>
        # For Windows 2003 and earlier use the following:
        #Module im_mseventlog
        # For Windows Vista/2008 and later use the following:
        Module im_msvistalog
        Exec to_json();
    </Input>

    <Output MSEvtOUT>
        Module om_udp
        Host DNIF-Adapter-IP
        Port 514
    </Output>

    <Route 1>
        Path MSEvtIN => MSEvtOUT
    </Route>

ashutosh created
Replies: 11
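A UDP datagram larger than the path MTU is fragmented by IP, not by NXLog, and it is reassembled by the receiving host; what usually cuts a syslog record at a fixed length is the receiver's per-datagram buffer or the syslog daemon's own message limit. The way around both is to stop sending bare JSON over UDP: use TCP, where the record is not bound to a datagram, and wrap it in a proper syslog frame so the receiver knows where each record ends. The block is an added example, not the poster's configuration; the host placeholder and port are carried over from the post.

```nxlog
<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input MSEvtIN>
    Module  im_msvistalog
</Input>

<Output MSEvtOUT>
    Module  om_tcp
    Host    DNIF-Adapter-IP
    Port    514
    # Put the full structured event in the syslog MSG part, then build an
    # RFC 5424 line. Over TCP each line is one record; nothing is truncated
    # at datagram size and the receiver gets a header it can parse.
    Exec    $Message = to_json(); to_syslog_ietf();
</Output>

<Route 1>
    Path MSEvtIN => MSEvtOUT
</Route>
```

Two checks on the receiving end: rsyslog caps a message at $MaxMessageSize (8 KiB by default), so very large Windows events still need that raised; and if the collector only speaks UDP, trimming the event (drop $Message when $EventData-style fields carry the same data) keeps the datagram below the limit instead of relying on fragmentation, which intermediate firewalls often discard.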
Send xml files from syslog to syslog
Hello, I would like some simple help. I have a syslog server from which I need to send logs from a file that is in XML to another syslog server. My configuration is as follows:

    [...]
    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input in>
        Module im_file
        File '/var/log/alerts'
    </Input>

    <Output out>
        Module om_udp
        Host xx.xxx.x.x
        Port 514
    </Output>

    <Route 1>
        Path in => out
    </Route>

where "/var/log/alerts" contains the XML logs that I want to send. Is there any additional configuration I should put in my conf, or is that all? Thanks

GustavoM created
Replies: 1
How to contact the sales rep in my country
Hi there, One of our clients is looking to upgrade their NXLog to the Enterprise Edition. How do I contact a sales rep from NXLog to get a license quote for our client? We are based in Malaysia, by the way.

BilalSaiful created
Replies: 1
Does the im_vistalog ResolveSID directive in NXLog EE also resolve Group SIDs?
I've noticed that the "GroupMembership" and "full_message" fields in Windows security logs for EventID 4627 contain unresolved Group SIDs (at least they look like SIDs to me). Event 4627 is generated along with event 4624 (successful account logon) and shows the entire list of groups that the particular logged-on account belongs to. This shows a list of groups that the user is a member of in Windows Event Viewer, but it looks like the following in our output stream:

    Group Membership:
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-123}
    %{S-1-1-0}
    ...
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234}
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2345}
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-3456}

I am running version 4.7.4715 64-bit Enterprise Edition (non-trial) and my config file has the input defined as:

    <Input in>
        # For windows vista/2008 and above use:
        Module im_msvistalog
        ResolveSID TRUE
    </Input>

The username seems to be resolving correctly (or at least the "TargetUserSid"/"TargetUserName" fields both show a valid username and not a SID), so I believe the "ResolveSID" option is working correctly for usernames. I would like to be able to read the group membership information in a human-readable format rather than as SIDs. I thought that "ResolveSID TRUE" would convert all instances of SIDs into human-readable format. I'm a little confused on the implementation specifics because I see the documentation (https://nxlog.co/documentation/nxlog-user-guide/im_msvistalog.html) only specifically mentions user names ("ResolveSID: This optional boolean directive specifies that SID values should be resolved to user names in the ..."), so am I wrong in assuming that group membership SIDs would also be resolved, since they are not user names?

My questions are:

- Should the group SIDs be resolving into human-readable format when ResolveSID=true? Or is the expected behaviour that they remain as SIDs?
- If this is expected behaviour, are there any plans for incorporating this feature in a later release of NXLog? Is there any way I can convert the group SIDs into human-readable format?
- If this is not expected behaviour, how can I troubleshoot this further?

hip_nxlog created
Replies: 1
Collecting Event Viewer Logs (msvistalog), but oddly fails with error
I've amassed a number of EventIDs I think I want to monitor on my Win10 host. However, the error I'm receiving is:

    .\nxlog.exe -v
    INFO configuration OK
    .\nxlog.exe -f
    INFO nxlog-ce-2.10.2150 started
    ERROR failed to subscribe to msvistalog events using bookmark: the specified query is invalid.
    ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementation of the filter.; [error code: 15001]

The weird part is, when I remove multiple lines it works. However, when I test each line individually, it works. I assume there is a conflict between them (e.g. duplicate EventIDs). Below is the configuration and associated examples.

Complete but fails .conf:

    #NoFreeOnExit TRUE

    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>
                        (EventID=550) or (EventID=612) or (EventID=801) or (EventID=1102) or (EventID=1104) or (EventID=1108) or (EventID=4608) or (EventID=4616) or
                        ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
                        ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
                        ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or
                        ((EventID=4648) and (TargetDomainName="domain.net")) or (EventID=4649) or
                        ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
                        ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
                        ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or (EventID=4699) or
                        (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or
                        ((EventID=5140) and (ShareName!="\\*C$")) or
                        ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
                        (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)
                    </Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Output graylog>
        Module om_udp
        Host 192.168.1.1
        Port 55555
        OutputType GELF_UDP
    </Output>

    <Route toGraylog>
        Path eventlog => graylog
    </Route>

Cut out from above. Succeeds:

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>
                        (EventID=550) or (EventID=612) or (EventID=801) or (EventID=1102) or (EventID=1104) or (EventID=1108) or (EventID=4608) or (EventID=4616) or
                        ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11)))
                        ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11)))
                        ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10)))
                        ((EventID=4648) and (TargetDomainName="domain.net")) or (EventID=4649) or
                        ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
                        ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
                        ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or (EventID=4699) or
                        (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or
                        ((EventID=5140) and (ShareName!="\\*C$")) or
                        ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
                        (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)
                    </Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

Fails:

    (EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)

Succeeds (removed bottom 5):

    (EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156)

Succeeds (added bottom 5 back and removed top 5):

    (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)

Thank you!

Pervon created
Replies: 1
Query a Sybase Database with NXLog
I'm trying to query a local Sybase database using NXLog and then write the output to a file. So far I'm unable to connect to the database. NXLog is saying that there are no drivers present. I'm running this on CentOS 7. I'm not seeing any database drivers available. Do I need to download these drivers separately? What's the name of the correct driver for Sybase? Where would I find the correct file?

    2020-03-09 12:02:18 INFO nxlog-ce-2.10.2150 started
    2020-03-09 12:02:18 ERROR failed to open tmp/output;No such file or directory
    2020-03-09 12:02:18 ERROR dbi_initialize failed, no drivers present?

Config below:

    <Input dbi>
        Module im_dbi
        Driver Sybase
        Option host 127.0.0.1
        Option username ********
        Option password ********
        Option dbname ********
        SQL SELECT * from *******
    </Input>

    <Output file>
        Module om_file
        File "tmp/output.out"
    </Output>

    <Route dbi_to_file>
        Path dbi => file
    </Route>

Any help would be appreciated. Thanks in advance!!

casey1234 created
Replies: 1
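im_dbi is a thin layer over libdbi, and libdbi itself ships no drivers: each database needs a separate driver library from libdbi-drivers, and the Driver directive must name that library. The driver for Sybase (and MSSQL) is the FreeTDS one, so the value is "freetds", not "Sybase"; "no drivers present" is what libdbi reports when nothing is installed in its driver directory. The block below is an added example, not the poster's configuration: the port, credentials, table and output path are placeholders, the package name is an assumption (on CentOS 7 the driver is usually packaged as libdbi-dbd-freetds from EPEL), and the option names are the ones the FreeTDS libdbi driver accepts.

```nxlog
<Input dbi>
    Module  im_dbi
    # Name of the libdbi driver library (libdbdfreetds.so), not the vendor name.
    Driver  freetds
    Option  host      127.0.0.1
    # Sybase ASE listens on 5000 by default; adjust to the real instance.
    Option  port      5000
    Option  username  nxlog_reader
    Option  password  REPLACE_ME
    Option  dbname    applog
    # Select explicit columns; an increasing id column lets im_dbi resume where
    # it stopped instead of re-reading the table after a restart.
    SQL     SELECT id, event_time, severity, message FROM events ORDER BY id
</Input>

<Output file>
    Module  om_file
    # Use an absolute path: a relative one is resolved against the daemon's
    # working directory, which is what produced "failed to open tmp/output".
    File    "/var/spool/nxlog/sybase-output.log"
</Output>

<Route dbi_to_file>
    Path    dbi => file
</Route>
```

Use a read-only database account for the query, and keep the password out of world-readable configuration files (the NXLog config is typically root-owned with mode 0640).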
Invalid Argument
For some reason I realized NXLog wasn't sending logs to Graylog (after previously doing so flawlessly). I went to the NXLog log and found this just before it stopped responding:

    2020-03-09 08:29:36 ERROR om_udp apr_socket_send failed; An invalid argument was supplied.

What does this mean? I can't find anything online, but I know the UDP arguments work because restarting NXLog works fine. However, Graylog received a message 20ms later from that machine (the last message that was sent before NXLog went offline). Any ideas?

ntubergen created
Replies: 1
NXLog not always sending logs
We are using a Graylog server in the hope of capturing two things (logons and disk errors). NXLog is forwarding most logon attempts, but not all of them for some reason. NXLog is not forwarding any disk error logs. Here is my config:

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
        Module xm_exec
    </Extension>

    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            Exec if (file_exists('%LOGFILE%') and \
                     (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
        </Schedule>
    </Extension>

    define LogonEventIds 4648

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            if $EventID NOT IN (%LogonEventIds%) drop();
        </Exec>
    </Input>

    define DiskEventIds 9, 11, 50, 51, 54, 55, 57, 129, 1066, 6008

    <Input diskcheck>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='System'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            if $EventID NOT IN (%DiskEventIds%) drop();
        </Exec>
    </Input>

    <Output udpLogon>
        Module om_udp
        Host 10.0.0.220
        Port 1517
    </Output>

    <Output udpDisk>
        Module om_udp
        Host 10.0.0.220
        Port 1518
    </Output>

    <Route 1>
        Path eventlog => udpLogon
    </Route>

    <Route 2>
        Path diskcheck => udpDisk
    </Route>

I don't know what the issue is. I am using tcpdump on the Graylog server and am not receiving anything on that port (1518), despite Event Viewer showing several logs with EventIDs 129 and 55. Any help would be appreciated. Yes, the port is open.

ntubergen created
Replies: 1
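Both the query that fails with error 15001 (Pervon's post above) and the two inputs that subscribe to a whole channel and then drop in Exec (the post directly above) run into the same property of im_msvistalog: the Select text is handed to the Windows Event Log API, which understands only a small XPath 1.0 subset. That subset has no regular expressions (a comparison such as SubjectUserSid="/^S-1-5-21" is a literal string compare that matches nothing), wants the *[System[...]] / EventData[Data[@Name='...']] form for fields, and caps the number of expressions in one query (commonly cited as 22), which is why a long or-chain starts failing once enough terms are added. The block below is an added example, not from either post: it splits the selection into several short <Query> elements and leaves the pattern-style conditions to Exec, where NXLog's own regex engine runs on the already-parsed fields. The event IDs are a subset taken from the two posts; the provider-specific field names ($SubjectUserSid, $ServiceName, $LogonType) are the EventData names im_msvistalog exposes as fields.

```nxlog
<Input eventlog>
    Module  im_msvistalog
    # Keep each Select short and in the *[System[...]] form the Event Log API
    # expects; several Query elements are cheaper than one that fails to parse.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634)] and EventData[Data[@Name='LogonType']='10']]</Select>
            </Query>
            <Query Id="1">
                <Select Path="Security">*[System[(EventID=4648 or EventID=4688 or EventID=4697 or EventID=4698 or EventID=4699)]]</Select>
            </Query>
            <Query Id="2">
                <Select Path="Security">*[System[(EventID=4720 or EventID=4726 or EventID=4740 or EventID=4794 or EventID=5140 or EventID=5142)]]</Select>
            </Query>
            <Query Id="3">
                <Select Path="System">*[System[(EventID=9 or EventID=11 or EventID=51 or EventID=55 or EventID=129 or EventID=6008)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Conditions the XPath subset cannot express (prefix matches, exclusion
        # by pattern) are applied here on the parsed fields instead.
        if $EventID == 4688 and not ($SubjectUserSid =~ /^S-1-5-21-/) drop();
        if $EventID == 4697 and $ServiceName =~ /^(BluetoothUserService|Vmware)/ drop();
        if $EventID == 4698 and not ($SubjectUserSid =~ /^S-1-5-21-/) drop();
    </Exec>
</Input>
```

Two practical checks: run the same Select text in Event Viewer's "Filter Current Log" XML tab, which uses the same API and reports the same "query is invalid" error before NXLog ever starts; and when a subscription covers a whole channel only to drop most of it in Exec, watch the Security channel's volume, since every event still crosses the Event Log API and NXLog's own queue before the drop happens.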
To collect logs
Hi Team, I have installed the NXLog Community Edition (nxlog-ce-2.10.2150.msi) on our Windows server and I am trying to collect the firewall (ASA) logs on the Windows server through NXLog. I have used the following configuration, but I am not receiving any logs. Can you help me with this?

    <Extension json>
        Module xm_json
    </Extension>

    ## Extension to format the message in syslog format
    <Extension syslog>
        Module xm_syslog
    </Extension>

    ########## INPUTS ###########
    <Input in_syslog_tcp>
        Module im_tcp
        Host 0.0.0.0
        Port 1514
        Exec parse_syslog();
    </Input>

    ############ OUTPUTS ##############
    <Output file>
        Module om_file
        File "C:\test\asa.log"
        Exec to_syslog_ietf();
    </Output>

    <Route file>
        Path in_syslog_tcp => file
    </Route>

Saravanakumar created
Replies: 1
How to write a Regular expressions for Traditional Chinese characters
Hi, I am trying to collect Windows DNS debug logs with NXLog xm_multiline. I referenced the link below:

    Parsing Detailed DNS Logs With Regular Expressions
    https://nxlog.co/documentation/nxlog-user-guide/windows-dns-server.html#parsing-detailed

But the Windows DNS debug logs include Traditional Chinese characters, and it won't let me combine the multiple lines into one log. What is the correct "HEADER_REGEX" that I should use? A DNS debug log sample is (I believe the problem is 上午; by the way, 上午 = AM and 下午 = PM):

    2020/3/6 上午 11:58:01 0E80 PACKET  000001D80FE9BD40 UDP Snd 10.0.35.101     a3f5 R Q [8081   DR  NOERROR] A      (5)e3998(1)d(10)akamaiedge(3)net(0)
    UDP response info at 000001D80FE9BD40
      Socket = 724
      Remote addr 10.0.35.101, port 56423
      Time Query=283057, Queued=283057, Expire=283060
      Buf length = 0x0200 (512)
      Msg length = 0x0038 (56)
      Message:
        XID       0xa3f5
        Flags     0x8180
          QR        1  (RESPONSE)
          OPCODE    0  (QUERY)
          AA        0
          TC        0
          RD        1
          RA        1
          Z         0
          CD        0
          AD        0
          RCODE     0  (NOERROR)
        QCOUNT    1
        ACOUNT    1
        NSCOUNT   0
        ARCOUNT   0
        QUESTION SECTION:
        Offset = 0x000c, RR count = 0
        Name      "(5)e3998(1)d(10)akamaiedge(3)net(0)"
          QTYPE   A (1)
          QCLASS  1
        ANSWER SECTION:
        Offset = 0x0028, RR count = 0
        Name      "C00Ce3998(1)d(10)akamaiedge(3)net(0)"
          TYPE   A (1)
          CLASS  1
          TTL    20
          DLEN   4
          DATA   96.7.252.200
        AUTHORITY SECTION:
          empty
        ADDITIONAL SECTION:
          empty

My NXLog configuration sample is:

    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets BIG-5, utf-8, utf-16, utf-32, iso8859-2
    </Extension>

    <Extension gelf>
        Module xm_gelf
    </Extension>

    define EVENT_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
        (?<Time>\d+(?::\d+){2})\s \
        (?<ThreadId>\w+)\s+ \
        (?<Context>\w+)\s+ \
        (?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ \
        (?<Protocol>\w+)\s+ \
        (?<SendReceiveIndicator>\w+)\s \
        (?<RemoteIP>[[:xdigit:].:]+)\s+ \
        (?<Xid>[[:xdigit:]]+)\s \
        (?<QueryType>\s|R)\s \
        (?<Opcode>[A-Z]|\?)\s \
        (?<QFlags>\[(.*?)\])\s+ \
        (?<QuestionType>\w+)\s+ \
        (?<QuestionName>.*)\s+ \
        (?<LogInfo>.+)\s+.+=\s \
        (?<Socket>\d+)\s+Remote\s+addr\s \
        (?<RemoteAddr>.+),\sport\s \
        (?<PortNum>\d+)\s+Time\sQuery= \
        (?<TimeQuery>\d+),\sQueued= \
        (?<Queued>\d+),\sExpire= \
        (?<Expire>\d+)\s+.+\( \
        (?<BufLen>\d+)\)\s+.+\( \
        (?<MsgLen>\d+)\)\s+Message:\s+ \
        (?<Message>(?s).*)/

    define HEADER_REGEX /(?x)(?<Date>\d+(?:\/\d+){2})\s \
        (?<AMPM>\x{e4}\x{b8}\x{8a}\x{e5}\x{8d}\x{88})\s \
        (?<Time>\d+(?::\d+){2})\s \
        (?<ThreadId>\w+)\s+ \
        (?<Context>\w+)\s+ \
        (?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ \
        (?<Protocol>\w+)\s+ \
        (?<SendReceiveIndicator>\w+)\s \
        (?<RemoteIP>[[:xdigit:].:]+)\s+ \
        (?<Xid>[[:xdigit:]]+)\s \
        (?<QueryType>\s|R)\s \
        (?<Opcode>[A-Z]|\?)\s \
        (?<QFlags>\[(.*?)\])\s+ \
        (?<QuestionType>\w+)\s+ \
        (?<QuestionName>.*)/

    <Extension multiline>
        Module xm_multiline
        HeaderLine %HEADER_REGEX%
    </Extension>

    <Input windnsdetaillog>
        Module im_file
        File 'C:\dns.log'
        Exec convert_fields("BIG-5", "utf-8");
        InputType multiline
        Exec if $raw_event =~ /(\d+)\/(\d+\/\d+)\s(上午\s)(\d+:\d+:\d+\s)((.|\n)*)/ $raw_event = $2 + '/' + $1 + ' ' + $4 + 'AM ' + $5;
        Exec if $raw_event =~ /(\d+)\/(\d+\/\d+)\s(下午\s)(\d+:\d+:\d+\s)((.|\n)*)/ $raw_event = $2 + '/' + $1 + ' ' + $4 + 'PM ' + $5;
        <Exec>
            if $raw_event =~ %EVENT_REGEX%
            {
                $EventTime = parsedate($Date + " " + $Time + " " + $AMPM);
                delete($Date);
                delete($Time);
            }
        </Exec>
    </Input>

    <Input wineventin>
        Module im_msvistalog
    </Input>

    <Output windnsdetaillogout>
        Module om_tcp
        Host 192.168.11.3
        Port 12198
        OutputType GELF_TCP
    </Output>

    <Output wineventout>
        Module om_udp
        Host 192.168.11.3
        Port 12196
        OutputType GELF
    </Output>

    <Route 1>
        Path wineventin => wineventout
    </Route>

    <Route 2>
        Path windnsdetaillog => windnsdetaillogout
    </Route>

kevinlin created
Replies: 3
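The ordering that matters here is that xm_multiline tests HeaderLine against the raw bytes as they come off the file, while convert_fields() runs in Exec on the assembled record afterwards. The \x{e4}\x{b8}\x{8a}... in HEADER_REGEX is the UTF-8 encoding of 上午, but a Traditional Chinese DNS server writes its debug log in the system code page (Big5/CP950), where those characters are different bytes, so the header never matches and the lines are never joined. A header regex that does not depend on the encoding of that token fixes the grouping; the meridiem marker is then normalised after conversion. The block below is an added example, not the poster's configuration or the NXLog documentation's: it assumes the config file itself is saved as UTF-8 (so the literal 上午/下午 in replace() are UTF-8, matching the converted record) and that strptime() accepts the unpadded month and day the DNS log writes.

```nxlog
# Only the fixed prefix of the first line is needed to recognise a header;
# \S+ takes the AM/PM token in whatever encoding the file uses.
define HEADER_REGEX /(?x)^(?<Date>\d+(?:\/\d+){2})\s \
    (?<AMPM>\S+)\s \
    (?<Time>\d+(?::\d+){2})\s \
    (?<ThreadId>\w+)\s+ \
    (?<Context>\w+)\s+ \
    (?<InternalPacketIdentifier>[[:xdigit:]]+)\s+/

<Extension _charconv>
    Module  xm_charconv
</Extension>

<Extension multiline>
    Module      xm_multiline
    HeaderLine  %HEADER_REGEX%
</Extension>

<Input windnsdetaillog>
    Module      im_file
    File        'C:\dns.log'
    InputType   multiline
    <Exec>
        # The multi-line record is complete here; now transcode it once.
        convert_fields("BIG-5", "utf-8");

        # Normalise the Chinese meridiem markers so the timestamp can be parsed
        # with a standard format string.
        $raw_event = replace($raw_event, "上午", "AM");
        $raw_event = replace($raw_event, "下午", "PM");

        # "2020/3/6 AM 11:58:01 ..." -> reorder to "2020/3/6 11:58:01 AM" for %p.
        if $raw_event =~ /^(\d+\/\d+\/\d+)\s(AM|PM)\s(\d+:\d+:\d+)/
            $EventTime = strptime($1 + " " + $3 + " " + $2, "%Y/%m/%d %I:%M:%S %p");
    </Exec>
</Input>
```

With the record already in UTF-8 and the marker rewritten, the EVENT_REGEX from the documentation applies unchanged (its Time group expects "hh:mm:ss AM"), so the field extraction can be added back in the same Exec block after the replace() calls.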